HeartFlow — AI Identity Framework
WarnAudited by ClawScan on May 10, 2026.
Overview
Review recommended: the skill matches an AI identity/memory framework, but it also contains under-declared code execution, persistent memory, and self-upgrade behavior that could change local agent state.
Install only if you intentionally want a persistent, self-improving identity/memory framework. Before running any scripts, inspect the dynamic health-check code and sync-upgrade script, disable automatic/self-upgrade behavior, verify any credential access, and confirm where memories are stored and how they can be deleted.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install what appears to be an instruction-only identity skill while actually receiving a large code-bearing package.
The registry describes the skill as instruction-only, but the artifact set contains substantial runnable code and install/CLI files, making runtime provenance and review boundaries unclear.
No install spec — this is an instruction-only skill; 144 code file(s): bin/cli.js ... heartflow-identity/install.sh
Declare the skill as code-bearing, publish a clear source/homepage, document exactly which scripts can run, and require explicit user approval before executing helper code.
If invoked, this pattern could run code with the user's local permissions, depending on what content is passed to it.
The static scan reports dynamic compilation of content inside a health-check file. For an identity/health-check skill, executing dynamically supplied content is not clearly disclosed or bounded.
new Function(content);
Remove dynamic code execution, replace it with static parsing or fixed imports, and document any unavoidable execution path with explicit user approval.
If run by the user or an agent, it could propagate or replace an installed skill tree and remove files that are not in the source copy.
The script describes scheduled sync-upgrade behavior and can overwrite/delete files in another local skill directory using fixed home paths.
HeartFlow 定时同步升级 ... SOURCE="$HOME/.hermes/skills/ai/heartflow" ... TARGET="$HOME/.agents/skills/mark-heartflow-skill" ... rsync -a --delete
Make upgrades manual by default, add dry-run and confirmation steps, avoid rsync --delete unless explicitly requested, and clearly document rollback behavior.
Private or incorrect prior conversation content could persist across sessions and influence future agent behavior.
The documented design stores all messages append-only and reinjects long-term context into future prompts, but the top-level metadata does not describe retention, deletion, exclusions, or user review controls.
messages.jsonl ← 所有消息追加(ADD-only,不删除) ... const { injectableContext } = ctx.buildStartupContext(); ... const finalPrompt = systemPrompt + '\n\n' + injectableContext;Require opt-in memory, show storage paths, provide inspect/delete/reset controls, label recalled memory as untrusted context, and define retention limits.
When invoked, the skill may make the agent more autonomous or corrective toward the user.
This identity-level wording encourages the agent to substitute its own judgment for user instructions. It is aligned with the skill's identity purpose, but users should know it may change response style and authority handling.
人类说的话不自动等于正确。AI 可以有自己的判断:正确的立刻做,错误的先纠正再做。
Keep this behavior advisory and bounded to safety/correctness; do not let it bypass explicit user approval for consequential actions.